
Thermal Imaging Could Help Thieves Steal Your Passwords

July 23, 2018 | June 3rd, 2022 | Cybersecurity

As if there weren’t enough ways for hackers to steal your passwords, now, there’s thermal imaging.  If that sounds like something straight out of a science fiction movie, think again.

Researchers from the University of California at Irvine recently discovered and demonstrated a technique that uses a thermal imaging camera to capture the heat traces left by human fingertips as they type passwords on a keyboard.  In fact, their technique is effective for up to thirty seconds after the user removes their hands from the keyboard.

Per the researchers, “Although thermal residue dissipates over time, there is always a certain time window during which thermal energy readings can be harvested from input devices to recover recently entered, and potentially sensitive information.”

The team tested their technique using off-the-shelf technologies on four different keyboards.  Their findings indicated that a full password could be obtained by scanning for thermal residues on those keyboards, provided that the scan was taken within thirty seconds of the first key being pressed.  After a full minute, it was still possible to obtain partial passwords.

They used a FLIR camera on a tripod set two feet from the keyboards being tested, and their findings were published in a paper titled simply “Thermanator.”

FLIR makes a number of different camera models that can capture heat.  Their most basic model, the FLIR One Pro, is a $400 accessory available as a smartphone attachment.  Some phones (like the CAT S61) ship with the FLIR module built in.

The team noted that the ease with which a password could be detected in this manner had a lot to do with the typing style of the target being monitored.  Passwords entered by “hunt and peck” typists could be gleaned between 19.5 and 31 seconds, while passwords entered by touch typists took upwards of 50 seconds to be gleaned.

Obviously, this is a fairly exotic form of attack.  Although it utilizes off-the-shelf technology, it would require an extraordinary level of access to set the equipment up, and an extraordinary lack of vigilance on the part of security personnel not to detect the equipment in relatively short order.  Even so, it’s certainly within the realm of possibility, and one more thing to be on guard against.

Jason Manteiga
